syngod
Moderator
Mozilla Firefox "Host:" Buffer Overflow
Release Date:
September 8, 2005
Date Reported:
September 4, 2005
Severity:
Critical
Vendor:
Mozilla
Versions Affected:
Firefox Win32 1.0.6 and prior
Firefox Linux 1.0.6 and prior
Firefox 1.5 Beta 1 (Deer Park Alpha 2)
Overview:
A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior
versions which allows for an attacker to remotely execute arbitrary code on an affected
host.
Technical Details:
The problem seems to be when a hostname which has all dashes causes the NormalizeIDN
call in nsStandardURL::BuildNormalizedSpec to return true, but it sets encHost to an
empty string. Meaning, Firefox appends 0 to approxLen and then appends the long
string of dashes to the buffer instead. The following HTML code will reproduce
this issue:
'<A HREF=https:--------------------------------------------- >'
Simple, huh? ;-]
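The defect the advisory describes is a length-accounting mismatch: the buffer size estimate is taken from one string (the empty encHost) while a different, longer string (the raw all-dash host) is what actually gets copied. The following C++ is an added, constructed model of that pattern and of a defensive fix; it is not Mozilla's code and does not reproduce nsStandardURL. The names normalizeIdnModel, BoundedBuf, lengthMismatchVulnerable and buildSpecChecked are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Hypothetical stand-in for NormalizeIDN (not Mozilla's code): it reports
// success (true) but, as the advisory describes for an all-dash host, hands
// back an empty encoded host.
bool normalizeIdnModel(const std::string& host, std::string& encHost) {
    bool allDashes = !host.empty() && host.find_first_not_of('-') == std::string::npos;
    encHost = allDashes ? std::string() : host;
    return true;
}

// Fixed-capacity writer that refuses any append which would overrun it.
struct BoundedBuf {
    char data[64];
    size_t len = 0;
    bool append(const char* s, size_t n) {
        if (len + n > sizeof(data)) return false;
        std::memcpy(data + len, s, n);
        len += n;
        return true;
    }
};

// Models the defective accounting: approxLen is grown by encHost's length
// (0 for an all-dash host) while the raw host is what gets copied.
// Returns how many bytes the copy exceeds the estimate by.
size_t lengthMismatchVulnerable(const std::string& host) {
    std::string encHost;
    normalizeIdnModel(host, encHost);
    size_t approxLen = 0;
    approxLen += encHost.length();   // contributes 0 for "-----"
    size_t copied = host.length();   // but this is what would be written
    return copied > approxLen ? copied - approxLen : 0;
}

// Hardened version: pick the string that will actually be appended first,
// size the estimate from that same string, and bound-check every write.
// Returns bytes written, or 0 when the write was refused.
size_t buildSpecChecked(const std::string& host, BoundedBuf& out) {
    std::string encHost;
    if (!normalizeIdnModel(host, encHost) || encHost.empty()) {
        encHost = host;  // fall back to the raw host, and size from it
    }
    const char scheme[] = "https:";
    size_t schemeLen = std::strlen(scheme);
    size_t approxLen = schemeLen + encHost.length();
    if (approxLen > sizeof(out.data)) return 0;
    if (!out.append(scheme, schemeLen)) return 0;
    if (!out.append(encHost.data(), encHost.length())) return 0;
    return out.len;
}

// Convenience wrapper so callers can ask for the written length directly.
size_t specLengthFor(const std::string& host) {
    BoundedBuf buf;
    return buildSpecChecked(host, buf);
}
```

The point of the fixed version is that the estimate and the copy are derived from the same variable, so an encoder that "succeeds" with an empty result can no longer silently widen the gap between what was sized and what is written.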
Vendor Status:
Mozilla was notified, and I'm guessing they are working on a patch. Who knows though?
Source: Security Protocols